Sunday, June 17, 2012

The Coroner’s Toolkit–How The FBI Recovers Deleted Files Using Free Software


The FBI recovers deleted files to help with investigations and prosecution. Bad guys will never stop trying to cover their tracks by deleting files, so the good guys developed a suite of free tools that let anyone recover deleted files. The tools presented in this article were used in FBI investigations that processed 1,756 terabytes of data as part of over 4,500 cases in 2009, the most recent year for which data is available.
Recovering Deleted Files Basics: What Happens When A File Gets Deleted
For whatever reason, you decide to delete the file foo.docx from your computer. You open Windows Explorer, go to the directory holding foo.docx, highlight the file, and press the Delete key. Sometime later, maybe minutes later, maybe weeks later, you empty the Recycle Bin. As far as Windows is concerned, this means you want foo.docx gone for good, so NTFS gets to work:
  1. Windows checks whether the file has more than one name, a feature borrowed from Unix and Linux called hard links. If other links to the same data exist, nothing is freed: only the one name (the entry in the Recycle Bin) is removed and the record's link count is decremented.
  2. Windows puts a note in the NTFS journal ($LogFile) that the delete is starting. It may sound odd for a filesystem to keep a journal, but the journal is what lets the volume be brought back to a consistent state quickly after a sudden crash or power loss.
  3. Windows opens the Master File Table (MFT), finds the record for foo.docx, removes its name from the parent directory's index, clears the record's in-use flag, and marks the file's clusters as free in the volume bitmap. Note: none of this wipes the record or the data. The record, its filename attribute and its list of cluster runs stay on disk until that slot is reused; Windows simply stops looking there.
  4. Windows marks the journal entry as complete. Windows is done deleting foo.docx.
After the file is deleted, all of its data still exists on your disk drive. There is just no live record of where the file is, so ordinary programs can't find it. I use a Super Data Rescue Package to recover clients' files and save time, but there are free options available.
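To make step 3 concrete, here is an added example (written for this article, not code from TCT, TSK or Autopsy) that builds a constructed 1 KiB NTFS FILE record in memory, "deletes" it the way NTFS does by clearing only the in-use flag, and then parses it the way a recovery tool does: undo the update-sequence fixups, read the header flags, and walk the resident attributes to pull out the $FILE_NAME and $DATA contents. The record number, sequence number and file contents are invented for the demonstration; the byte layout is the real on-disk NTFS layout.

```python
"""NTFS MFT FILE record: build a constructed record, delete it the NTFS way,
then parse it like a recovery tool. Example code added for this article."""
import struct

RECORD_SIZE = 1024
SECTOR = 512
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01


def _resident_attr(atype, content):
    """Resident attribute: 24-byte header followed by the content, 8-byte aligned."""
    hdr_len = 0x18
    total = (hdr_len + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0,
                      len(content), hdr_len, 0, 0)
    return hdr + content + b"\x00" * (total - hdr_len - len(content))


def _file_name_content(name):
    """$FILE_NAME body: parent = MFT entry 5 (root), timestamps zeroed."""
    return (struct.pack("<Q", 5) + b"\x00" * 32
            + struct.pack("<QQII", 0, 0, 0x20, 0)      # sizes, ARCHIVE flag, reparse
            + struct.pack("<BB", len(name), 1)          # name length in chars, Win32 namespace
            + name.encode("utf-16-le"))


def build_record(name, data, in_use=True, record_number=42, seq=3):
    """Constructed FILE record with a $FILE_NAME and a small resident $DATA."""
    attrs = (_resident_attr(ATTR_FILE_NAME, _file_name_content(name))
             + _resident_attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END))
    first_attr = 0x38
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, first_attr,
                      FLAG_IN_USE if in_use else 0, first_attr + len(attrs),
                      RECORD_SIZE, 0, 3, 0, record_number)
    usn = 0x0007
    rec = bytearray(hdr + struct.pack("<H", usn) + b"\x00" * 6 + attrs)
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    # Update sequence fixups: the last word of each 512-byte sector is saved in
    # the array at 0x32 and replaced by the USN so a torn write can be detected.
    for i in range(2):
        end = SECTOR * (i + 1) - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = struct.pack("<H", usn)
    return bytes(rec)


def parse_record(raw):
    """Undo the fixups, read the header flags, and walk the resident attributes."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = SECTOR * i - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"in_use": bool(flags & FLAG_IN_USE), "seq": seq,
            "links": links, "name": None, "data": None}
    off = first_attr
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                      # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
            if atype == ATTR_FILE_NAME:
                nlen = content[0x40]
                info["name"] = content[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            elif atype == ATTR_DATA:
                info["data"] = content
        off += alen
    return info


def delete_in_place(record):
    """Simulate what NTFS does on delete: clear the in-use bit, wipe nothing else."""
    rec = bytearray(record)
    rec[0x16] &= 0xFE
    return bytes(rec)


def recover_after_delete():
    live = build_record("foo.docx", b"PK\x03\x04 constructed sample")  # constructed content
    return parse_record(delete_in_place(live))


if __name__ == "__main__":
    r = recover_after_delete()
    print("in use:", r["in_use"], "| name:", r["name"], "| data:", r["data"])
```

The parsed result reports in_use False, yet the filename and the data are still there, which is exactly why a deleted file can be listed by name until its MFT slot is reused. A real file of any size has a non-resident $DATA attribute instead: the record then holds a run list of cluster ranges, and a tool such as TSK's icat follows that list to pull the data from the volume.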

The Four Secrets To Recovering Deleted Files

Secret One: The sooner you try to recover a file after it's been deleted, the better your chance of success. That's because Windows now treats the deleted file's clusters, and its MFT record, as free space and will write new files on top of them. Once part of the deleted file has been overwritten, that part is gone for good; at best you get a partial file.
If you just deleted a file you really need, you can almost guarantee it won't be overwritten by immediately unplugging the computer from the wall, since every second the system keeps running is another chance for it to write to those free clusters. Of course, this means none of the other open files on your computer will be saved.
Secret Two: Smaller files are easier to recover than bigger files. That's because NTFS stores a file as one or more runs of clusters; when there is no contiguous free space large enough, the file is split into several fragments wherever space is available. Smaller files are more likely to fit in a single run, so all of their data sits in one place (very small files, under roughly 700 bytes, are stored inside the MFT record itself). As long as the MFT record survives, its run list says exactly where every fragment is; once the record has been reused you are searching unallocated space by content, and a fragmented file is hard to reassemble. The ideal number of fragments is one.
A useful corollary is that files deleted from a regularly defragmented drive are easier to recover, because after defragmenting almost every file has only one fragment. But never defragment after deleting a file you want back: the defragmenter moves live data around and will overwrite exactly the free clusters you are trying to recover.
Secret Three: You need to know the type of file in order to recover it. The filename is stored in the MFT record (and in the parent directory's index), not alongside the file's data. While the deleted file's MFT record is still intact, recovery tools can list it by name, which is what Autopsy's deleted-file view does. Once that record has been reused by a new file, the name is gone, and the only way to find the data in unallocated space is by its content. That means knowing what type of file it is so you can search for that type's signature; in our example we assume foo.docx was a Microsoft Word 2007 or 2010 file, which is a ZIP container (it begins with the bytes PK\x03\x04 and contains an entry named [Content_Types].xml).
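The content-based search that Secret Three describes is called signature carving. The following added example (not code from TSK or Autopsy) carves ZIP-format files, which includes .docx, out of a constructed block of "unallocated space": it finds each ZIP local-header signature, cuts at the end-of-central-directory record that closes the archive, validates the result with Python's zipfile module, and tells a Word document apart from a plain ZIP by its [Content_Types].xml and word/ entries. The filler bytes and the two embedded archives are constructed for the demonstration. It assumes the file is stored contiguously, which is why Secret Two matters.

```python
"""Signature carving for a deleted .docx: find the ZIP local header, cut at the
end-of-central-directory record, validate with zipfile. Added example code."""
import io
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # start of every ZIP/OOXML file
EOCD = b"PK\x05\x06"        # end-of-central-directory record, the last thing in a ZIP


def _zip_bytes(entries):
    """Build a small stored (uncompressed) ZIP from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, text in entries.items():
            z.writestr(name, text)
    return buf.getvalue()


def make_image():
    """Constructed unallocated space: filler, a minimal Word document, a plain zip, filler."""
    docx = _zip_bytes({"[Content_Types].xml": "<Types/>",
                       "word/document.xml": "<w:document>hello</w:document>"})
    plain = _zip_bytes({"notes.txt": "not a Word file"})
    filler = b"\xa5" * 2048                      # never contains a PK signature
    image = filler + docx + filler + plain + filler
    return image, len(filler), 2 * len(filler) + len(docx)


def classify(names):
    """OOXML Word documents carry [Content_Types].xml plus a word/ folder."""
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return "docx"
    return "zip"


def carve_zips(image):
    """Return every contiguous, self-validating ZIP found in the image."""
    found, pos = [], 0
    while True:
        start = image.find(LOCAL_HDR, pos)
        if start < 0:
            break
        end_sig = image.find(EOCD, start)
        if end_sig < 0:
            break
        # EOCD is 22 bytes plus an optional comment whose length sits at +20.
        comment_len = int.from_bytes(image[end_sig + 20:end_sig + 22], "little")
        end = end_sig + 22 + comment_len
        blob = image[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                if z.testzip() is not None:          # CRC failure: overwritten or fragmented
                    raise zipfile.BadZipFile("crc mismatch")
                names = z.namelist()
        except zipfile.BadZipFile:
            pos = start + len(LOCAL_HDR)             # false positive: keep scanning
            continue
        found.append({"offset": start, "size": len(blob),
                      "kind": classify(names), "names": names})
        pos = end                                    # skip the inner local headers we consumed
    return found


if __name__ == "__main__":
    img, _, _ = make_image()
    for hit in carve_zips(img):
        print(hit["kind"], "at offset", hit["offset"], hit["names"])
```

Every archive member inside a ZIP starts with the same PK\x03\x04 bytes, so a naive carver produces one hit per member; the loop above avoids that by resuming the scan after the validated archive's end. A real image should be read in chunks rather than as one bytes object, but the matching logic is the same.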
Secret Four: You need to make sure the disk drive is read-only before you attempt to recover files. This prevents Windows from overwriting the file you want to recover. Many USB flash drives and some USB disk enclosures have a read-only switch, which works well: safely remove the drive or unplug the USB cable as usual, toggle the switch, and reinsert the drive or cable.
A few internal disks can be jumpered read-only, but most can't, and Windows won't boot from a read-only system disk anyway. Forensic labs deal with this by putting a hardware write blocker between the disk and the examining computer; the next section shows a software route that needs no extra hardware.

How the FBI Recovers Deleted Files

The original set of programs for low-level file recovery is The Coroner's Toolkit (TCT). Its ideas were carried into two more advanced tools, which are the ones described here: The Sleuth Kit (TSK), a collection of command-line programs, and Autopsy, a browser-based front end to them.
Despite their morbid names, TSK and Autopsy are actively maintained tools capable of far more than undeleting. The versions used here run under Linux, so you boot a Linux live DVD or run one inside a virtualization program like VMware. Either way your Windows installation is left untouched, and the live system reads your drive read-only, which takes care of Secret Four.
Although many Linux live DVDs and virtual environments contain TSK and Autopsy, we suggest BackTrack Linux, available at backtrack-linux.org. Unless you're familiar with VMware, download the DVD ISO image and burn it to a DVD. Then put the DVD in the computer with the deleted file and reboot from it.
After BackTrack finishes loading, you'll find a stylized K where the Start menu usually appears in Windows. Click the K, go to the BackTrack menu, go to the Digital Forensics menu, and choose Launch Autopsy. Then open the web browser (the globe icon next to the K icon) and browse to http://localhost:9999/autopsy.
Autopsy is an easy-to-use HTML front end to the dozens of commands in TSK. On the main screen, create a New Case and follow the menus to add the host and the disk (or partition) holding the deleted file. When you reach the File Analysis screen, choose "Show All Deleted Files". Autopsy builds this list by walking the MFT and keeping every record whose in-use flag is clear, so deleted names and their cluster runs show up as long as the records haven't been reused; searching unallocated space by content is a separate, slower step. Walking a large MFT takes a while: expect roughly 1 minute for every 10 GB on your disk drive.
After TSK lists the deleted files, sort through them to find the one you need, click its link, and export it. The command-line equivalents are fls -r -d on the image to list deleted entries and icat with the entry's MFT number to pull out its contents.
If the disk itself is failing (read errors, clicking, a Windows boot that ends in a blue screen), take a sector-by-sector image of it first with a tool such as GNU ddrescue and run TSK and Autopsy against the image rather than the dying drive. One boot error that often shows up on such disks is described next.

How To Repair FltMgr SYS Blue Screen Errors:

On Windows, FltMgr.sys is the Filter Manager, the kernel component that loads, orders and calls filesystem minifilter drivers: the antivirus on-access scanner, disk encryption, backup agents and similar software all plug into it. It does not check that the data on your drives is error-free; it passes every file operation through the loaded minifilters. A blue screen that names FltMgr.sys usually means one of those minifilters misbehaved (touched freed memory, faulted at a raised IRQL, broke after an update) while Filter Manager was calling it, so the crash is charged to FltMgr.sys even though the fault lies in a third-party driver. When that happens, the file operation never completes and the stop error appears.



What Is The FltMgr.sys Error & How To Fix It?

The main reason FltMgr.sys errors occur is a minifilter driver that fails while Filter Manager is running it; less often, the FltMgr.sys file itself is damaged or unreadable. If the file is corrupted, the error will come back on every boot. Often, though, the cause is temporary and a simple restart clears it. This tutorial covers the different approaches when the cause is something more persistent.

How To Fix FltMgr.sys Errors On Your PC

The first thing to do when you see the FltMgr.sys error is restart your PC. Click the Windows icon in your taskbar, then select Restart. This may look over-simplistic, but it works surprisingly often, because in many cases the error happens simply because Filter Manager or one of its minifilters was not loaded correctly when the computer first booted up, for example because an update interrupted the loading sequence. Restarting clears your computer's RAM and lets it boot cleanly.
The registry is often blamed for fltmgr.sys errors, and registry cleaners are sold as the fix, but a registry cleaner cannot repair a crashing kernel driver. The registry entries that matter are the ones under HKLM\SYSTEM\CurrentControlSet\Services that register each minifilter and its load order (its altitude), and those are created and removed by the filter's own installer. So the real fix is to find out which minifilter is loaded and failing: run fltmc filters from an elevated command prompt to list them, or read the minidump in %SystemRoot%\Minidump with WinDbg and the !analyze -v command, which names the driver on the faulting stack. Then update or uninstall that product (usually antivirus, encryption or backup software). If FltMgr.sys itself is suspected, sfc /scannow replaces a damaged copy from the Windows component store.